commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: [validator] Password fields [WAS] Re: cvs commit: jakarta-commons/validator/src/javascript/org/apache/commons/validator/javascript validateMaxLength.js validateMinLength.js
Date Wed, 08 Oct 2003 05:24:21 GMT
Robert Leland wrote:

> David Graham wrote:
>
>> The validation rules are only exposed if you use Struts' 
>> <html:javascript>
>>  
>>
> Not true they are exposed by server side validation also. The error 
> messages clearly state the min/max
> values.

But even that is only exposed if you use the validator framework's 
minLength checks.  If I didn't want to expose the fact that I cared 
about such things, I'd use two different validation mechanisms:

* On the login screen, I'd use nothing except (perhaps) a "required" 
validation.

* On the admin screen that lets me change my own password, I'd write a 
custom validator
  method + appropriate JavaScript -- or, more likely, implemented this 
as a server side check
  that approved a proposed password (minimum length, appropriate mixture 
of letters and
  digits, not in a dictionary, ...) without exposing *anything* about 
why a password might
  get rejected.

Of course, there's a usability issue here, too ... if you impose 
particular rules for passwords in the code but don't tell your users 
about what the rules are, you're bound to frustrate them when they try 
to set their own passwords to a new value, but don't know why you're not 
allowing the proposed value.

Anyone who objects to exposing a "minimum password length" rule to the 
general public shoudn't be employing such a validation rule on their 
login screens in the first place.

>
>>
>> I'm still -1 on this last commit for the reasons stated.  Please revert
>> this change to not validate password fields in the javascript.
>>
>>  
>>
> +1, will do it tomorrow.


Craig



---------------------------------------------------------------------
To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-dev-help@jakarta.apache.org


Mime
View raw message